OCC classifies email breach exposing sensitive bank data as 'major incident'

The U.S. Office of the Comptroller of the Currency (OCC), a key banking regulator, officially classified a significant breach of its email system as a "major information security incident" after discovering that unauthorized actors accessed highly sensitive bank supervisory data for approximately eight to nine months before detection.

What happened

The OCC first learned of "unusual interactions" involving a system administrative account and user mailboxes within its office automation environment on February 11, 2025. By February 12, the agency confirmed the activity was unauthorized, immediately activated its incident response protocols, reported the event to CISA (the Cybersecurity and Infrastructure Security Agency), and disabled the compromised administrative accounts, terminating the unauthorized access.

However, subsequent investigations, including internal reviews and those by independent third parties, revealed the intrusion was far more extensive than initially understood. According to Bloomberg News, citing sources familiar with the investigation, the unauthorized access began as early as May or June 2024 and continued until its discovery in February 2025. During this prolonged period, the attackers accessed approximately 150,000 emails from around 100 to 103 accounts, including those belonging to senior OCC executives and employees.
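The signal that finally surfaced the intrusion, an administrative account interacting with user mailboxes it does not own, is one that mailbox audit logs can expose much earlier if someone reviews them. The script below is an added illustration of that review, not code from the OCC or from the page's author; the event schema, account names, threshold and dates are constructed assumptions rather than any vendor's real log format or the incident's data. It lists privileged accounts that read other users' mailboxes and, for those that touch several, reports how long the activity spans in the log.

```python
"""Flag administrative accounts that read other users' mailboxes.

Added illustration (not the page's or the OCC's code). The event schema,
account names and threshold are constructed assumptions, not a real
vendor log format or real data.
"""
from collections import defaultdict
from datetime import date

# Constructed sample audit events. "actor" is the account performing the
# access, "mailbox" is the mailbox read. Owner access (actor == mailbox) is
# normal activity and is never flagged.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03", "actor": "svc-exchange-admin@example.gov", "mailbox": "alice@example.gov"},
    {"ts": "2024-07-19", "actor": "svc-exchange-admin@example.gov", "mailbox": "bob@example.gov"},
    {"ts": "2024-11-02", "actor": "svc-exchange-admin@example.gov", "mailbox": "carol@example.gov"},
    {"ts": "2025-02-10", "actor": "svc-exchange-admin@example.gov", "mailbox": "dave@example.gov"},
    {"ts": "2025-01-15", "actor": "admin-jsmith@example.gov", "mailbox": "admin-jsmith@example.gov"},
    {"ts": "2025-01-16", "actor": "admin-jsmith@example.gov", "mailbox": "bob@example.gov"},
    {"ts": "2025-02-01", "actor": "alice@example.gov", "mailbox": "alice@example.gov"},
]

# Accounts holding mailbox-administration privileges (assumed inventory).
ADMIN_ACCOUNTS = {"svc-exchange-admin@example.gov", "admin-jsmith@example.gov"}


def non_owner_admin_access(events, admin_accounts):
    """Return the events in which a privileged account read a mailbox it does not own."""
    return [e for e in events if e["actor"] in admin_accounts and e["actor"] != e["mailbox"]]


def flag_broad_access(events, admin_accounts, min_distinct_mailboxes=3):
    """Summarise admins whose non-owner reads span at least `min_distinct_mailboxes` mailboxes.

    Returns {actor: {"mailboxes": [...], "first_seen": str, "last_seen": str,
    "span_days": int}}. The span shows how long the activity sat in the log
    before anyone acted on it.
    """
    by_actor = defaultdict(list)
    for e in non_owner_admin_access(events, admin_accounts):
        by_actor[e["actor"]].append(e)

    flagged = {}
    for actor, evs in by_actor.items():
        mailboxes = sorted({e["mailbox"] for e in evs})
        if len(mailboxes) < min_distinct_mailboxes:
            continue  # occasional single-mailbox troubleshooting is not flagged
        days = sorted(date.fromisoformat(e["ts"]) for e in evs)
        flagged[actor] = {
            "mailboxes": mailboxes,
            "first_seen": days[0].isoformat(),
            "last_seen": days[-1].isoformat(),
            "span_days": (days[-1] - days[0]).days,
        }
    return flagged


if __name__ == "__main__":
    for actor, info in flag_broad_access(SAMPLE_EVENTS, ADMIN_ACCOUNTS).items():
        print(f"{actor}: {len(info['mailboxes'])} mailboxes, "
              f"{info['first_seen']} to {info['last_seen']} ({info['span_days']} days)")
```

The threshold separates a one-off support action on a single mailbox from the pattern the OCC describes, an administrative account reading across many users' mail. In the constructed sample the service account is flagged with four mailboxes over 252 days while the second administrator, who read one colleague's mailbox once, is not; scheduling this kind of review weekly, rather than discovering the pattern after the fact, is the point.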

What's new

On April 8, 2025, the OCC formally notified the U.S. Congress that the breach met the criteria for a "major incident" under the Federal Information Security Modernization Act (FISMA). This classification stems from the confirmation that the compromised emails and attachments contained "highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes." Acting Comptroller of the Currency Rodney E. Hood explicitly stated that "long-held organizational and structural deficiencies" contributed to the incident and vowed "full accountability for the vulnerabilities identified and any missed internal findings." The OCC is launching a thorough evaluation of its IT security policies and procedures and is engaging third-party cybersecurity experts for review, potentially bringing in additional experts to assess internal cyber incident processes.

Why it matters

The prolonged, undetected access to highly sensitive regulatory information concerning the health and oversight of U.S. national banks represents a significant security failure within a critical financial regulator. Exposure of such data carries the risk of misuse for market manipulation, espionage, or targeted attacks against financial institutions. While the OCC stated in February that there was "no indication of any impact to the financial sector," the sensitivity of the compromised data could still lead to "demonstrable harm to public confidence," according to Bloomberg reports citing OCC communications.

What they're saying

Acting Comptroller Rodney Hood acknowledged internal failings, stating, "I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident." He assured "full accountability." Security expert David Shipley described the incident as "massively serious" and questioned whether regulatory agencies possess adequate resources to defend against sophisticated threats, noting the audacity required to target a Treasury bureau. Expert Gabrielle Hempel noted the potential for market destabilization and suggested the need for enhanced security measures such as zero-trust architecture within the agency.

The big picture

This major incident at the OCC follows other significant cybersecurity events impacting the U.S. Department of the Treasury, including a breach disclosed in December 2024 attributed to the Chinese state-sponsored group Silk Typhoon. While officials have not confirmed any link between the incidents, the OCC breach underscores the persistent and sophisticated cyber threats facing government agencies that handle critical national economic and security information. Government agencies need to acknowledge internal organizational deficiencies and address systemic vulnerabilities alongside technical defenses to prevent future compromises.

FAQs

What is the OCC?

The Office of the Comptroller of the Currency is an independent bureau within the U.S. Department of the Treasury that regulates and supervises all national banks, federal savings associations, and federal branches of foreign banks.

What information was exposed?

Highly sensitive information concerning the financial condition, examinations, and supervisory oversight of federally regulated banks was contained within the accessed emails and attachments.

Why was this classified as a "major incident"?

Under FISMA guidelines, an incident may be deemed "major" based on the sensitivity of the information compromised and its potential impact, such as harm to national security, economic security, or public confidence. The nature of the bank supervision data accessed met these criteria.
